Security testing overview

You can run security tests using Rational® AppScan Tester Edition directly from the Quality Manager.

Rational AppScan Tester Edition software is designed to help organizations distribute responsibility for security testing among multiple stakeholders and to help users test for vulnerabilities such as Cross-site scripting, buffer overflows, and SQL injection early in the Web application delivery lifecycle.

Security tests should be performed in a preproduction environment, such as a staging server or a Quality Assurance server. This helps you contain the risks associated with running security scans. The preproduction environment should mirror the production environment as closely as possible (the application should be deployed from the same executable files in both environments) so that you know you are thoroughly testing the application you actually expose.
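One practical way to confirm the "same executable files in both environments" requirement before a scan is to hash the deployed artifacts on each side and diff the two manifests. The following script is an added example, not part of the original page or of the AppScan product; the artifact suffixes, directory layout and file contents are assumptions constructed for the demonstration, and the paths would be replaced by the real staging and production deployment roots (or copies of them).

```python
"""Compare deployed executable artifacts between a staging and a production tree."""
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as deployable executables for this example.
# Assumption: adjust to your platform and packaging (e.g. .ear, .dll, .so).
EXECUTABLE_SUFFIXES = {".dll", ".exe", ".jar", ".war", ".class", ".so"}


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large
    binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each executable artifact under root (relative POSIX path) to its digest.
    Non-executable files such as configuration are ignored on purpose: they
    legitimately differ between environments."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(staging: dict, production: dict) -> dict:
    """Report artifacts present in only one environment and artifacts whose
    digests differ. Any non-empty entry means the scan target is not the
    code that production exposes."""
    shared = set(staging) & set(production)
    return {
        "only_in_staging": sorted(set(staging) - set(production)),
        "only_in_production": sorted(set(production) - set(staging)),
        "mismatched": sorted(p for p in shared if staging[p] != production[p]),
    }


def environments_match(report: dict) -> bool:
    """True when the two deployments carry identical executables."""
    return not any(report.values())


def _write_tree(root: Path, files: dict) -> None:
    """Create a constructed deployment tree from a {relative path: bytes} map."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build two constructed deployment trees that differ in three ways and
    return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        production = Path(tmp) / "production"
        # Constructed sample content: web.dll is identical, auth.dll differs,
        # debug.dll exists only in staging, legacy.dll only in production,
        # and readme.txt differs but is not an executable so it is ignored.
        _write_tree(staging, {
            "app/web.dll": b"build-1042",
            "app/auth.dll": b"auth-v2",
            "app/debug.dll": b"debug-only",
            "readme.txt": b"staging notes",
        })
        _write_tree(production, {
            "app/web.dll": b"build-1042",
            "app/auth.dll": b"auth-v1",
            "app/legacy.dll": b"legacy",
            "readme.txt": b"production notes",
        })
        return compare_manifests(build_manifest(staging), build_manifest(production))


if __name__ == "__main__":
    result = demo()
    for key, paths in result.items():
        print(f"{key}: {paths}")
    print("environments match" if environments_match(result) else "environments differ")
```

Run it against the real deployment roots by replacing the constructed trees in `demo()` with `build_manifest(Path("/path/to/staging"))` and `build_manifest(Path("/path/to/production"))`. A non-empty `mismatched` or `only_in_production` list is a reason to fix the staging deployment before scanning, since findings (or the absence of findings) on different binaries say nothing reliable about production.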

Performing a security scan in a production environment is not recommended because of the risks these scans carry: the scanner submits attack payloads to the live application, so it can affect real data and real users. Sometimes it may nevertheless be necessary to scan a production environment, for example to comply with audit requirements, to detect whether your site has been compromised, or to validate that the SDLC process for integrating security scans is actually being followed. Regardless of your reasons, it is best to begin by scanning a preproduction environment and only then move the scan to production. This helps ensure that the security tests pose less risk to your servers.

Browser-based attacks exploit flaws in Web application code. Software most vulnerable to these types of attacks includes:

Security scans should be integrated into your Software Development Lifecycle (SDLC) process so you can catch security issues before they make their way to your production environment.

For further information, see the Rational AppScan Tester Edition Information Center.
